HIPAA Notice

Your Information. Your Rights. Our Responsibilities.

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

Your Rights

You have the right to:

Get a copy of your paper or electronic medical record

Correct your paper or electronic medical record

Request confidential communication

Ask us to limit the information we share

Get a list of those with whom we’ve shared your information

Get a copy of this privacy notice

Choose someone to act for you

File a complaint if you believe your privacy rights have been violated

Your Choices

You have some choices in the way that we use and share information as we:

Tell family and friends about your condition

Provide disaster relief

Include you in a hospital directory

Provide mental health care

Market our services and sell your information

Raise funds

Our Uses and Disclosures

We may use and share your information as we:

Treat you

Run our organization

Bill for your services

Help with public health and safety issues

Do research

Comply with the law

Respond to organ and tissue donation requests

Work with a medical examiner or funeral director

Address workers’ compensation, law enforcement, and other government requests

Respond to lawsuits and legal actions

Your Rights

When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you.

Get an electronic or paper copy of your medical record

You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you. Ask us how to do this.

We will provide a copy or a summary of your health information, usually within 30 days of your request. We may charge a reasonable, cost-based fee.

Ask us to correct your medical record

You can ask us to correct health information about you that you think is incorrect or incomplete. Ask us how to do this.

We may say “no” to your request, but we’ll tell you why in writing within 60 days.

Request confidential communications

You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.

We will say “yes” to all reasonable requests.

Ask us to limit what we use or share

You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care.

If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information.

Get a list of those with whom we’ve shared information

You can ask for a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why.

We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.

Get a copy of this privacy notice

You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy promptly.

Choose someone to act for you

If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.

We will make sure the person has this authority and can act for you before we take any action.

File a complaint if you feel your rights are violated

You can complain if you feel we have violated your rights by contacting us using the information on page 1.

You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/.

We will not retaliate against you for filing a complaint.

Your Choices

For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, talk to us. Tell us what you want us to do, and we will follow your instructions.

In these cases, you have both the right and choice to tell us to:

Share information with your family, close friends, or others involved in your care

Share information in a disaster relief situation

Include your information in a hospital directory

If you are not able to tell us your preference, for example if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.

In these cases we never share your information unless you give us written permission:

Marketing purposes

Sale of your information

Most sharing of psychotherapy notes

In the case of fundraising:

We may contact you for fundraising efforts, but you can tell us not to contact you again.

Our Uses and Disclosures

How do we typically use or share your health information?

We typically use or share your health information in the following ways.

Treat you

We can use your health information and share it with other professionals who are treating you.

Example: A doctor treating you for an injury asks another doctor about your overall health condition.

Run our organization

We can use and share your health information to run our practice, improve your care, and contact you when necessary.

Example: We use health information about you to manage your treatment and services.

Bill for your services

We can use and share your health information to bill and get payment from health plans or other entities.

Example: We give information about you to your health insurance plan so it will pay for your services.

How else can we use or share your health information?

We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html.

Help with public health and safety issues

We can share health information about you for certain situations such as:

Preventing disease

Helping with product recalls

Reporting adverse reactions to medications

Reporting suspected abuse, neglect, or domestic violence

Preventing or reducing a serious threat to anyone’s health or safety

Do research

We can use or share your information for health research.

Comply with the law

We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.

Respond to organ and tissue donation requests

We can share health information about you with organ procurement organizations.

Work with a medical examiner or funeral director

We can share health information with a coroner, medical examiner, or funeral director when an individual dies.

Address workers’ compensation, law enforcement, and other government requests

We can use or share health information about you:

For workers’ compensation claims

For law enforcement purposes or with a law enforcement official

With health oversight agencies for activities authorized by law

For special government functions such as military, national security, and presidential protective services

Respond to lawsuits and legal actions

We can share health information about you in response to a court or administrative order, or in response to a subpoena.

Our Responsibilities

We are required by law to maintain the privacy and security of your protected health information.

We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.

We must follow the duties and privacy practices described in this notice and give you a copy of it.

We will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.

For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html.

We are HIPAA Compliant

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States law that regulates the collection and handling of “protected health information” (PHI). Certain organizations called “covered entities” and their business associates are required to comply with HIPAA.

We are “HIPAA-compliant”. This means that we offer a service that enables covered entities to collect and manage PHI through our services in a manner compliant with HIPAA. As part of offering this service, 9zest ensures that it operates in a way that is consistent and compatible with those laws and 9zest’s role as a business associate to a covered entity user.

If you are a Coach, an agency supplying Coaches, or a third-party agency registered with 9zest, Inc., you must enter into a Business Associate Agreement (BAA) with 9zest, Inc. to enable HIPAA-compliance features on your account or team. In accordance with our Terms & Conditions, 9zest only permits PHI to be collected by regulated entities if it is done through a “HIPAA-enabled account” with a business associate agreement (BAA) in place.

9zest’s Business Associate Agreement

9zest offers a standard form BAA which meets the requirements of HIPAA and lets covered entities enter into it within their 9zest account. When a covered entity accepts the BAA, the name and title of the individual signing on behalf of the entity are recorded, along with the date of acceptance. A copy of the BAA is then made available for download or future reference through the My Account page. Upon acceptance of the BAA, an account will be converted into a HIPAA-enabled account.

We acknowledge that some covered entities have certain items they need to include in BAAs with their business associates. Due to the fact that we offer HIPAA-enabled accounts at no additional cost, we do not negotiate customer form BAAs.

HIPAA Security Measures that 9zest Employs

As required by HIPAA, we implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that we receive, maintain, and transmit on behalf of covered entities with respect to their HIPAA-enabled accounts. These safeguards include measures required by the Security Rule, such as:

Regular risk assessments of systems to ensure that safeguards remain relevant and effective

Assigned security team which is responsible for maintaining compliance with HIPAA’s security requirements

Screening, authorization, and training of 9zest staff who come into contact with customer PHI

Data backup plans

Disaster recovery plans

Systems regularly monitored, updated, and patched

Incident response plan that includes reporting of security incidents to affected covered entities

All communications with 9zest servers encrypted with SSL

For more information, see our Security Statement.

Feature List

The following features required by HIPAA are activated on your account. These features help covered entities to comply with their own HIPAA obligations:

Security reminders: We remind users of their HIPAA obligations with in-product messages that appear whenever they perform certain sensitive operations on PHI (such as exporting therapy data that could potentially be shared with third parties).

Automatic logoff: We time out user sessions after 30 minutes of inactivity.